Outdated Embedded Browsers in Devices Pose Security Risks, Study Finds
======================================================================
Web browsers on desktop and mobile devices regularly receive security updates, but those integrated into game consoles, televisions, e-readers, cars, and other connected devices often do not. This gap leaves users vulnerable to phishing attacks and other security threats.
Research Highlights Hidden Risks in Device Browsers
----------------------------------------------------
A team from the DistriNet Research Unit at KU Leuven in Belgium has shed light on this issue. Their recent study reveals that many newly released devices come equipped with browsers that are several years old and contain known security flaws.
The CheckEngine Framework
To assess these embedded browsers, researchers developed a crowdsourced evaluation tool called CheckEngine. Participants received unique URLs to test the embedded browsers on their devices between February 2024 and February 2025. The study collected data from 76 entries representing 53 different products and 68 software versions.
Findings from the Study
- Obsolete Browsers: In 24 out of 35 tested smart TVs and all five e-readers, the embedded browsers were at least three years behind the current desktop browser versions.
- At Release: Alarmingly, many devices launched with browsers that were already outdated. For example, eight products included browsers over three years old at the time of market release.
- Lack of Updates: Some device manufacturers do not provide security updates despite advertising free updates, leaving vulnerabilities unpatched.
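The study's core measurement is simple: read the engine version an embedded browser reports, look up when that engine was released, and compare against the date of observation. The following Python is an added example written for this page, not CheckEngine's own code, that reproduces that "years behind" check for the Findings above. The Chromium release-date table is a constructed approximation (the August 2020 date for Chromium 85 is taken from the article; the other dates are assumptions to be replaced with an authoritative release calendar), and the sample user-agent strings are constructed, not captured from the devices named in the study.

```python
import re
from datetime import date

# Assumption: approximate Chromium major-version -> stable release date table.
# Only the Chromium 85 / August 2020 pairing comes from the article; the
# remaining rows are constructed placeholders to be replaced with a real
# release calendar before use.
CHROMIUM_RELEASE_DATES = {
    85: date(2020, 8, 25),
    109: date(2023, 1, 10),
    112: date(2023, 4, 4),
    126: date(2024, 6, 11),
    133: date(2025, 2, 4),
}

# Chromium-derived browsers (Chrome, Electron, embedded WebViews) advertise
# "Chrome/<major>.<...>" in the User-Agent header.
UA_CHROMIUM_RE = re.compile(r"(?:Chrome|Chromium)/(\d+)\.")


def chromium_major(user_agent: str):
    """Return the Chromium major version from a User-Agent string, or None."""
    m = UA_CHROMIUM_RE.search(user_agent)
    return int(m.group(1)) if m else None


def assess(user_agent: str, observed_on: str, threshold_years: float = 3.0) -> dict:
    """Classify one submission the way the study did: how many years behind
    the engine was on the day it was observed, and whether that exceeds the
    threshold. observed_on is an ISO date string such as '2025-02-01'."""
    observed = date.fromisoformat(observed_on)
    major = chromium_major(user_agent)
    result = {"engine": "chromium" if major else "unknown", "major": major,
              "years_behind": None, "outdated": None}
    if major is None:
        return result  # not a Chromium-derived engine; a Gecko/WebKit table would be needed
    released = CHROMIUM_RELEASE_DATES.get(major)
    if released is None:
        return result  # version not in our table: report "unknown" rather than guess
    years = (observed - released).days / 365.25
    result["years_behind"] = round(years, 1)
    result["outdated"] = years >= threshold_years
    return result


def summarize(entries, threshold_years: float = 3.0) -> dict:
    """Aggregate a batch of (user_agent, observed_on) pairs into the kind of
    count the study reports ("N of M devices at least three years behind")."""
    results = [assess(ua, day, threshold_years) for ua, day in entries]
    assessed = [r for r in results if r["outdated"] is not None]
    return {
        "total": len(results),
        "assessed": len(assessed),
        "outdated": sum(1 for r in assessed if r["outdated"]),
        "unknown": len(results) - len(assessed),
    }


# Constructed sample submissions (not real device data).
SAMPLE_ENTRIES = [
    ("Mozilla/5.0 (Linux; Android 11) AppleWebKit/537.36 (KHTML, like Gecko) "
     "Chrome/85.0.4183.127 Safari/537.36", "2025-02-01"),
    ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
     "Chrome/109.0.0.0 Safari/537.36", "2025-02-01"),
    ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
     "Chrome/126.0.0.0 Safari/537.36", "2025-02-01"),
    ("Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0", "2025-02-01"),
]

if __name__ == "__main__":
    for ua, day in SAMPLE_ENTRIES:
        print(assess(ua, day))
    print(summarize(SAMPLE_ENTRIES))
```

In a crowdsourced setup the `user_agent` and `observed_on` values would come from the request each participant's device makes to its unique URL; the only per-device information this check needs is the version the engine itself reports, which is why it can run from a single page load.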
Case Studies of Vulnerability
- Boox Note Air 3 (January 2024): Ships with NeoBrowser based on Chromium 85 (August 2020). Despite multiple updates, the browser remained unpatched, and the lack of a proper security reporting channel was noted.
- Gaming Applications: Testing on Steam, Ubisoft Connect, and AMD Adrenalin revealed outdated Chromium versions (109 and 126). Researchers found potential for phishing via URL spoofing but did not observe exploitable vulnerabilities.
Impact and Regulatory Context
-----------------------------
The EU Cyber Resilience Act, active since December 2024, aims to enforce security standards for connected devices by December 2027. Many products evaluated by KU Leuven still do not meet these legal requirements.
Challenges in Updating Embedded Browsers
----------------------------------------
The study points to several reasons for these outdated browsers:
- Bundled Frameworks: Many browsers are integrated via frameworks like Electron, which bundle browsers with other components. Updating them often requires comprehensive updates to the entire system, making maintenance complex.
- Vendor Inattention or Deliberate Neglect: Some manufacturers simply do not prioritize browser security updates or fail to implement necessary patches.
Specific Cases and Vulnerabilities
- Steam: Included similar Chromium-based browsers with vulnerabilities that could facilitate phishing attacks through origin spoofing.
- Ubisoft Connect: Used a Chromium 109-based browser configured with dangerous flags like `--no-sandbox`, increasing security risks.
- AMD Adrenalin: Showed address bar spoofing in browsers based on Chromium 112, with the vendor working on fixes.
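A bundled browser's version is only half the picture; the switches it is launched with matter as much, as the `--no-sandbox` case above shows. The Python below is an added example for this page (not the study's tooling or any vendor's code) that audits process command lines for Chromium/Electron switches that weaken the engine's built-in protections. The page names only `--no-sandbox`; the other switches in the table are real Chromium command-line flags added here as an assumption about what an auditor would also want to catch, and the sample command lines are constructed.

```python
import glob
import shlex

# Chromium command-line switches that disable a security boundary.
# --no-sandbox is the one named in the article; the rest are an assumption
# about what a broader audit should flag, with the protection each removes.
RISKY_SWITCHES = {
    "--no-sandbox": "renderer processes run outside the OS sandbox",
    "--disable-web-security": "same-origin policy disabled",
    "--remote-debugging-port": "DevTools protocol exposed on a TCP port",
    "--ignore-certificate-errors": "TLS certificate validation disabled",
    "--allow-running-insecure-content": "mixed (http) content allowed on https pages",
    "--disable-site-isolation-trials": "per-site process isolation disabled",
}


def risky_switches(cmdline: str) -> list:
    """Return the risky switch names present in one command line.
    Switches may carry a value (--remote-debugging-port=9222), so compare the
    part before '=' only."""
    found = []
    for arg in shlex.split(cmdline):
        name = arg.split("=", 1)[0]
        if name in RISKY_SWITCHES and name not in found:
            found.append(name)
    return found


def audit(cmdlines) -> list:
    """Audit an iterable of command-line strings; return (cmdline, findings)
    pairs for every process that sets at least one risky switch."""
    report = []
    for cl in cmdlines:
        findings = risky_switches(cl)
        if findings:
            report.append((cl, [(f, RISKY_SWITCHES[f]) for f in findings]))
    return report


def live_cmdlines():
    """Linux-only helper: read every process command line from /proc.
    Entries there are NUL-separated, so rejoin them with spaces."""
    lines = []
    for path in glob.glob("/proc/[0-9]*/cmdline"):
        try:
            with open(path, "rb") as fh:
                raw = fh.read()
        except OSError:
            continue  # process exited or not readable
        parts = [p.decode("utf-8", "replace") for p in raw.split(b"\0") if p]
        if parts:
            lines.append(" ".join(shlex.quote(p) for p in parts))
    return lines


# Constructed sample process list (not captured from any real product).
SAMPLE_CMDLINES = [
    "/opt/launcher/launcher --type=renderer --no-sandbox --remote-debugging-port=9222",
    "/usr/lib/chromium/chromium --type=renderer --enable-features=VaapiVideoDecoder",
    "/opt/overlay/overlay --disable-web-security --user-data-dir=/tmp/overlay",
]

if __name__ == "__main__":
    for cl, findings in audit(SAMPLE_CMDLINES):
        print(cl)
        for switch, why in findings:
            print(f"  {switch}: {why}")
```

Run against `live_cmdlines()` on a Linux host, the same `audit()` call gives an inventory of which bundled engines on the machine have been started with their sandbox or origin checks turned off, which is the cheapest way to confirm a finding like the Ubisoft Connect one on your own systems.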
Recommendations and Conclusion
------------------------------
The researchers suggest that relying solely on consumer awareness or voluntary updates is insufficient. Instead, they advocate for binding regulations requiring manufacturers to ensure the security of embedded browsers.
In summary, the study underscores a widespread issue: many devices ship with outdated and insecure embedded browsers that remain unpatched long after their release, exposing users to unnecessary security risks. Enhanced regulation and accountability are essential steps toward safer connected devices.